1238832 - (bmo_csp) Implement Content Security Policy (CSP) for BMO

Status: NEW

(bugzilla.mozilla.org :: General, enhancement)

Description

[:glob ✱]

as per many discussions we need to do this in 2016.

from bug 600692 comment 16:

Hey there!  I was hoping we could get the conversation started again on CSP for BMO.  Although BMO isn't a terribly common source of XSS attacks, it is a particularly high-profile target.  As an ideal first CSP target, I was hoping we could implement something like this:

Content-Security-Policy: default-src https:

Namely, that we can load resources only over https, and we disable all inline scripts. When I apply that policy to BMO Prod, I get about a half-dozen on so minor inline script issues, several of which persist across multiple pages:

>bugzilla.mozilla.org/:23 Refused to execute inline script because it violates the following Content Security Policy directive: "default-src https:". Either the 'unsafe-inline' keyword, a hash ('sha256-AIORuFNrQVH7IxwhuN5eMPlxlUAf+owvn9V9f76XzJY='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Something related to YAHOO.namespace -- looks easy enough to move to an external file; it's currently just a <script> in <head>

>bugzilla.mozilla.org/:77 Refused to execute inline script because it violates the following Content Security Policy directive: "default-src https:". Either the 'unsafe-inline' keyword, a hash ('sha256-/R3wm+GmaaPngJJakOUAzEEvIguO9JfVsV1BUEwW3ck='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Looks like it creates a hidden input for Persona or something -- should also not be too terrible to move to an external file

>bugzilla.mozilla.org/:154 Refused to execute inline script because it violates the following Content Security Policy directive: "default-src https:". Either the 'unsafe-inline' keyword, a hash ('sha256-2QBaTW8JqtEuH0xzTQOdcQjRPGIeXJOcPUAfzm7gask='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

More YAHOO stuff, just a <script> tag in <body>

>bugzilla.mozilla.org/:172 Refused to execute inline script because it violates the following Content Security Policy directive: "default-src https:". Either the 'unsafe-inline' keyword, a hash ('sha256-jj1BbCKfjIYDkQEtBwQzi98q2L/NTkCLvGPe7CzJhAs='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

More YAHOO stuff, just a <script> tag in <body>

>bugzilla.mozilla.org/:281 Refused to execute inline script because it violates the following Content Security Policy directive: "default-src https:". Either the 'unsafe-inline' keyword, a hash ('sha256-j24qucoW1tDl3QPYeeP0bxGUvF0510fw+pWtBWgZ7QE='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

An inline script that checks to see if the form is empty

>bugzilla.mozilla.org/:132 Refused to execute inline event handler because it violates the following Content Security Policy directive: "default-src https:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

<body onload=""> -- doesn't do anything


It looks like there's quite a lot of inline scripts inside BMO, but it shouldn't (hopefully) be too agonizing to move them to external files. Moving all of the JavaScript to external files is the first step in implementing CSP to disable inline scripts. Plus, as bonus, it should provide a minor performance boost, since the inline code won't be sent along with every page request.

Comment 1

[:glob ✱]

(In reply to Byron Jones ‹:glob› from comment #0)
> It looks like there's quite a lot of inline scripts inside BMO, but it
> shouldn't (hopefully) be too agonizing to move them to external files.

yup - there's a lot of work there.  it's something that we're unlikely to start looking at until at least q2, but it's on our roadmap.  there's complexity which to an outside eye unfamiliar with bugzilla "looks easy enough", however in many instances this isn't the case (if it was easy, it would already be done).


however as far as i can tell disabling inline scripts with CSP also disables inline styles.  that's going to be a major problem and one that we'll have to figure out at a later stage.

Comment 2

[Gervase Markham [:gerv]]

Might it make logical sense to tie this to the "force HTTPS" parameter?

Gerv

Comment 3

[:glob ✱]

(In reply to Gervase Markham [:gerv] from comment #2)
> Might it make logical sense to tie this to the "force HTTPS" parameter?

yes, good point (to allow non-https dev environments).

Comment 4

[April King [:April]]

> however as far as i can tell disabling inline scripts with CSP also disables inline styles.  that's going to be a major problem and one that we'll have to figure out at a later stage.

You can disable inline scripts while still allowing inline styles, eg:

Content-Security-Policy: default-src: https:; style-src https: 'unsafe-inline'